Multiple Portals for Global protect -Configuration check-Inputs needed

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Multiple Portals for Global protect -Configuration check-Inputs needed

L4 Transporter

Hello ;

 

For one our Customer running PA 3200 Series in HA having GP License ( HIP checks)

 

Currently the GP Portal and Gateway have common Interface  . The GP URL is vpn.connection.it ( sample name)

 

The requirement is that 

 

Internal Users use  the URL  :  internal.vpn.connection.it

External Users(Partners) use the URL : external.vpn.connection.it

 

The Users are part of different user groups .

 

So can we achive this using the same ( Single Public ) IP address or do we need two Public IP address 

 

We can to use different HIP profiles for Internal and External users . 

 

Do we need to create two different tunnel interface or loopbacks ? or two different gateways ?

 

 

1 accepted solution

Accepted Solutions

Hey @FWPalolearner ,

 

I understand that you use loopback for GP portal and gateway and use NAT to translate the public to the loopback. I still don't understand why you do this way instead of use the eth1/1 in the GP portal and gateway on first place.

 

But let discuss the other point - "But I can still create a gateway with same loopback" even if you somehow manage to use same interface/ip on multiple gateway you should receive error during commit. Think about it - all comes done to sockets, creating GP gateway will create TCP socket which FW will listen for connections. Sockets consists of ip and port and you can have different services/application on different combination of ip and port. If you create second GP gateway you need to create second socket and since you cannot use different port (always using the standard port for SSL or IPSec)  the only part you can change is the ip. Assigning same int and ip to both GP gateways will try to create two exactly the same sockets which will generate commit error.

 

And the same concept for the sockets apply for your NAT rules. I assume that you have NAT rule says "any public source to dest x.x.x, nat to any public source to dest 192.168.1.75". If you create second NAT rule similar to above, but with dest 192.168.1.76, the second nat will never hit (because the first math will be applied). Again you can play with ports as GP doesn't allow you change default ports, so the only way for the fw to apply the different nat rules is to use source ip address as matching criteria, but this defied the purpose of remote access vpn, because you will need to know from which public ip will the users connect.

View solution in original post

17 REPLIES 17

L4 Transporter

Hi,

 

you can achive this with configuring an Internal Gateway and an external Gateway and one or two portal, the Internal Gateway is an interface on your internal Network, External Gateway accessed from Outside normally out from internet (Public-IP)  - Tunnel interface required here.

for more information check these out

https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/globalprotect-quick-configs/...

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClH1CAK

 

 

Hi @Abdul-Fattah 

Thanks for your reply

 

We are already have an Internal gateway which is being used currently only by Internal users when they are in Corporate network

 

The goal is this exercise is when Users connect to the GP outside of the company network ( internet or at home)

 

All the Corporate Users should use the URL  internal.vpn.X . Different HIP profile , different IP Pool . different zone and different rules

 

All the Non Corporae users should use the URL  external.vpn.X . Different HIP profile , different IP Pool . different zone and different rules

 

So my Query is whether we need two Tunnel Interfaces( One for each external Gateway) and two Loop backs ( one for each Portal )

 

So do i have to create two external gateways using two different loopbacks 

 

and in the Portal settings define difference Address( FQDN) ?

 

Also , do i need two Public IPs ? or 1 can solve the purpose

then what you need is 2 external gateways, two tunnels, two public Ips.

another soultion would be same gateway, seperation based on users , and you can also define different IP pool for these non-corporate users and the networks that should they access with split-tunneling and add/edit your security policies as needed .

Hi @FWPalolearner ,

 

I suggestion is to always avoid multiple ip address on same interface like you would avoid a plague/covid. I cannot claim I have deploy lots of GPs, but I haven't yet saw a real need to configure multiple portals on single device, so I  will try to avoid such setup as well.

As @Abdul-Fattah mentioned you can provide single portal and once the user authenticate you can have group/user base separation (have different ip pool, dns, access etc for each user group). This would be the easiest way to have complete separation between internal users and contractors/3rd-party. The problem with this approach is that both type of users will need to use same authentication type. You can use different domain for user authentication, but the the type (LDAP, RADIUS, etc) must be the same for both (if you use mfa over radius you can be creative, but it is up to the mfa and not the fw). And as you can imagine both type of users will use the same vpn address. 

 

If you really  want internal users to use one address and contractors/external user to use completely different address - the only way to achieve this is to have second portal/gateway. As mentioned I would avoid secondary IP, instead I would recommend to use loopback (configure loopback with public ip, put it in untrust/outsie zone and use it for the gp portal and gw).

 

The only benefit I can think of is that you can apply different authentication type for each user group, so it is interesting for me to understand the reason why you need separate addresses

Hi @aleksandar.astardzhiev @Abdul-Fattah 

 

Thanks for your inputs ; really appreciate

 

The Customer requirement is to use two different URLs . I understand that we use different user groups  but user groups are already in place

 

thre requirement is to have different URL and Different Portal

 

So what i understood , we need below on PA cluster - can you please confirm :

 

1) two GP Gateways with two Loopbacks ?  two GP portals - where in - for one we define the URL for external and for other the internal one

 

2) two tunnel interfaces , two loopbacks - with different IPs

 

3) two zones - one for Internal and one for external ?

 

I still have doubt, why cant we use the same Public IP as we can make both DNS entries to resolve to same IP

two domains resolving to same IP, for palo alto you are using only one IP. the Firewall does not care about Public-domains. as i mentioned earlier :

"another soultion would be same gateway, seperation based on users , and you can also define different IP pool for these non-corporate users and the networks that should they access with split-tunneling and add/edit your security policies as needed ."

and for portal you change nothing.

 

Good Luck. 

 

Hey @FWPalolearner ,

 

You can setup both DNS records to resolve to same IP, but:

- First you need to apply wildcard certificate on the portal or use certificate with SAN (subject alternative names)

- Even the users are pointed to different addresses they are still ended on the exact same portal, so they will be prompted with exact same authentication. This really annoys me with GP portal, there is no way to use multiple authentication realms and provide a way for the user to select/navigate to required auth realm.

 

So as long as you will use the same authentication type (LDAP, radius, etc) for all users (external and internal) you should be fine using two DNS records pointing to the same ip and having one portal. The important think here is the SSL certificate that will be used for the portal - either it must be wildcard (to match both urls) or it must list both in SAN (subject alternative names). 

 

Your really don't need two gateways. You can use same gateways for both external and internal users, and using user group to apply different settings. The problem is again with the address, however during GP portal config you can specify different gateway addresses for each user group. So you can actually the exact same DNS records that you are using for the portal. And for the GP gateway you need to use the same SSL certificate (either wildcard or with SAN)

 

 

@aleksandar.astardzhiev  

you can leverage "authentication-sequence" and select multiple authentication types/profiles (LDAP,Radius,Local..) and use it for Portals and Gatways.

Hey @Abdul-Fattah ,

 

You are absolutely right... I forgot about the authentication sequence, thanks.

 

Hi @aleksandar.astardzhiev @Abdul-Fattah 

 

Can't thank you enough for your support and inputs.  

 

I will share my change plan with you to have a final look in it please. I will share it quickly

@aleksandar.astardzhiev @Abdul-Fattah 

 

Below is what i am planning can you and provide your input

************************************

What we have now

the VPN URL we are using now is vpn.connect.it which resolves to the IP of Public Interface of the firewall

FW Public Interface : x.x.x.x

FW public zone : INTERNET

Loopback Interface : loopback.1 with an IP 192.168.75.1 bind to a zone called GP
Tunnel interface : tunnel.1 Bind to zone GP

Portal Config :

We have the Authentication sequence and a Wildcard in the SSL Service Profile for *.connect.it

We are using loopback.1 as the Interface . We are having the User groups defined in the Agent config

In the Agent config in the External Section , we have defined Host name  vpn.connect.it


Gateway Config :

We are using the same loopback.1

same wildcard

In the agent we are using tunnel.1

and we have a Pool allocated for all the users defined in the user group

 

 

----------------------------------------------------------------------------------------
Now as we want separate Portal for Corp users and Partners , here is my plan


Create another DNS entrie for

partner.external.it

 

The Corp users will continue to use vpn.connect.it

both will resolve to x.x.x.x

 

Create a new Loopback loopback.2 with an IP 192.168.76.1 and bind to zone GP-EXT
Create a new Tunnel interface tunnel.2 and bind to zone GP-EXT

Portal Config :

Create a new Portal with loopback.2 and same auth sequence ;same wildcard
in the agent config in external section , define partner.external.it and in user groups only external AD users

 

Gateway Config

Use Loopback.2
same wildcard
In the agent , define tunnel.2 and separate pool for external users


Configure the required Firewall rules for new zone GP-EXT

 

The Point here is

currently


x.x.x.x is natted to 192.168.75.1

So how to NAT it to 192.168.76.1 for external users ??

 

Do i have to use another Public IP then 

 

Hey @FWPalolearner ,

 

From your explanation I don't believe you will need the second portal/gateway/loopback/tunnel.

 

1. Create new DNS record for external.connect.it to FW public x.x.x.x

2. Under the current portal create two "agent" configs based on user group, one for internal and one for partner users.

3. In first config set for external gateway "internal.connect.it", and for second agent config set "external.connect.it" 

4. Under the current gateway create two client settings based on the two user groups (gateway -> agent -> client settings).

5. Under each client settings configure IP pool. Important note here is that you must not use Client IP Pool (gateway ->agent -> client ip pool). On this tab you define one single IP pool for all connected users, no matter which user group they are. To be able to configure different ip pool for each user group you must remove any config from client ip pool tab and put it under the client settings

 

And that should be enough. If you think for a moment only difference between the two "portals" is the FQDN that users are using, which really doesn't matter as long as you have a valid certificate to cover both addresses. Everything else should be standard user group based separation which you can accomplish with single portal and gateway.

@aleksandar.astardzhiev  Thanks a lot . This is now very much easy and you made it very clear

 

I just have last doubt still .

 

Can i create a second tunnel interface and bind it to a new zone 

 

This way i will create two GP gateways with two different tunnel interfaces - one for Corp and other for External

 

The only point is this will provide more security because we will have different Zones and can use them specifically

 

Kindly let me know your feedback on this 

 

Again Many many Thanks . you are a saviour 🙂

Hey @FWPalolearner ,

 

If you want to have separate gateway you definitely must use different IP, because you cannot have more than one GP gateway (or portal) on same interface. 

 

But I would suggest to think for a moment if you really gain any benefit separating users into zones:

1. You already separate users based on user groups and assign different IP pools. Even that both type of users (internal and partners) are coming from same zone you still can use source user group and source ip to granular control over the user access.

2. If you worry about restricting access between VPN users (partner user connected to vpn to reach internal vpn user), I am not 100% sure at the top of my head, but I believe you can simply configure explicit intrazone rule to control the traffic between users.

 

Again even that all users are associated with same zone you still have other methods to differentiate between them.

  • 1 accepted solution
  • 7693 Views
  • 17 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!